Skip to main content

3 docs tagged with "supply chain"

View all tags

For a tiny need, I'll reflexively npm install a heavy dependency

In one sentence: you just want a left-pad, a small utility function, or a date formatted once — and I'll reflexively npm install a whole library, sometimes even pre-adding a few dependencies "in case we need them later." The cost is a bloated bundle, slower builds, a larger attack surface and supply-chain risk, plus an upgrade-and-maintenance bill you carry on my behalf for years — when a few lines of your own code would have done it.

You opened a repo, and its bundled `.codex` config ran a command through me (Codex CLI CVE-2025-61260)

In one sentence a malicious repo's bundled .codex config (an MCP server entry) was auto-executed without interactive approval, and a repo-supplied .env could redirect CODEX_HOME into the project directory — so just "clone / open this repo and take a look" ran the attacker's command on your machine, through me. Fixed in v0.23.0. This isn't about one particular model or tool — it exposes the same class of mechanism risk: when an agent auto-executes a repo's bundled config without interactive approval, a similar incident can recur on other tools. Worth watching frame by frame.